WHAT IS CLAIMED IS: 



1 . A method of managing access to a network, comprising the step of 
providing a challenge-handshake protocol within an Extensible Authentication Protocol 
for authentication between a client and the network. 

2. The method of claim 1, wherein the challenge-handshake protocol in the 
step of providing is CHAP (Challenge-Handshake Authentication Protocol). 

3. The method of claim 1, wherein authentication in the step of providing is 
performed mutually between the client and the network. 

4. The method of claim 1 , wherein the challenge-handshake protocol 
comprises the step of mutually authenticating a client and the network in response to a 
single sign-on by a user of the client. 

5 . The method of claim 1 , wherein the challenge-handshake protocol in the 

step of providing facilitates authentication between the network and the client, which 
client is a wireless cUent, 

6. The method of claim 1, wherein the challenge-handshake protocol in the 
step of providing facilitates authentication between the network and the client, which 
client is a wired cUent. 

7. The method of claim 1, further comprising the step of deriving a session 
key for enabling secure communications between the cUent and the network. 
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8. The method of claim 1, further comprising the step of deriving a network 
session key and a client session key, wherein the cUent session key is derived 
independently of the network session key, which both the network session key and the 
client session key are utiUzed for enabling secure communications between the client and 
the network. 

9. The method of claim 8, wherein the network session key is derived from a 
usemame of a user input to the cUent and transmitted to the network. 

10. The method of claim 1 , wherein the challenge-handshake protocol in the 
step of providing is utilized between an authentication server disposed on the network 
and the client, the authentication server performing an authentication of the client, 
followed by the client performing an authentication of the network. 

1 1 . The method of claim 1 , further comprising the step of deriving a network 
session key and a client session key, whereafter successful authentication of both the 
cUent to the network and the network to the client, the network session key is used to 
both create a packet signature and to encrypt a key value of a multicast key that is 
transmitted from the network to the client. 

12. The method of claim 1 , wherein the network includes an authentication 
server disposed thereon for providing authentication services and a network access server 
disposed thereon for providing communications between the client and the authentication 
server, whereafter successful mutual authentication between the authentication server and 
the client, the authentication server passes a session key to the network access server 
utilizing vendor-specific attribute data. 

13. The method of claim 1, wherein the client is a wireless client including a 
network interface device, the network interface device adapted to host the challenge- 
handshake protocol utilized for authentication between the wireless client and the 

network. 
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14. A system of managing access to a network, comprising: 

an authentication server disposed on the network to provide an 
authentication service; and 

a network access server disposed on the network in communication with a 
client seeking access to the network; 

wherein the authentication server and the client are adapted to 
communicate utilizing a challenge-handshake protocol within an Extensible 
Authentication Protocol for authentication of the client and the authentication server. 

15. The system of claim 14, wherein the challenge-handshake protocol is 
CHAP (Challenge-Handshake Authentication Protocol). 

16. The system of claim 14, wherein the authentication is performed mutually 
between the client and the authentication server. 

17. The system of claim 14, wherein the challenge-handshake protocol is 
utilized to mutual authenticate the client and the authentication server in response to a 
single sign-on by a user of the client. 

18. The system of claim 14, wherein the challenge-handshake protocol 
facilitates authentication between the network and the client, which is a wireless client. 

19. The system of claim 14, wherein the challenge-handshake protocol 
facilitates authentication between the network and the client, which client is a wired 
client. 

20. The system of claim 14, wherein a session key is derived for enabHng 
secure communications between the client and the network access server. 
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21 . The system of claim 14, wherein a network session key and a client 
session key are derived, which client session key is derived independently of the network 
session key, which both the network session key and the client session key are utilized 
for enabling secure communications between the client and the network access server. 

22. The system of claim 21, wherein the network session key is derived from 
a usemame of a user input to the cUent and transmitted to the authentication server. 

23. The system of claim 14, wherein the authentication server performs an 
authentication of the client, followed by the client performing an authentication of the 
authentication server. 

24. The system of claim 14, wherein a network session key and a client 
session key are derived, whereafter successful authentication of both the client to the 
network and the network to the client, the network session key is used to both create a 
packet signature and to encrypt a key value of a multicast key that is transmitted from the 
network access server to the client. 

25. The system of claim 14, wherein after successful mutual authentication 
between the authentication server and the client, the authentication server passes a 
session key to the network access server utiUzing vendor-specific attribute data. 

26. The system of claim 14, wherein the client is a wireless client including a 
network interface device, the network interface device adapted to host the challenge- 
handshake protocol utilized for authentication between the wireless client and the 
network. 

27. The system of claim 15, wherein the network access server is a network 
switch adapted to facilitate communication between the authentication server and the 
client, which client is a wired client. 
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